External Identity Providers

Registered by Joe Savak on 2013-08-06

As OpenStack gains enterprise traction, the need to allow non-Keystone identities to log in to Horizon or execute APIs becomes more relevant. Consider the following use-case:

Acme has their own cloud setup running Keystone against their back-end Active Directory. They would like to automatically burst VM provisioning and/or utilization to a public cloud service provider according to capacity and usage rules. They would like to enable identity federation so that only one credential set is needed across the 2 clouds.

Blueprint information

Status:
Complete
Approver:
None
Priority:
Medium
Drafter:
Joe Savak
Direction:
Needs approval
Assignee:
Marek Denis
Definition:
Pending Approval
Series goal:
Accepted for icehouse
Implementation:
Implemented
Milestone target:
2014.1
Started by
Dolph Mathews on 2013-12-10
Completed by
Dolph Mathews on 2014-02-03

Related branches

Sprints

Whiteboard

Depends on blueprint saml-id (https://blueprints.launchpad.net/keystone/+spec/saml-id)

Gerrit topic: https://review.openstack.org/#q,topic:bp/virtual-idp,n,z

Specified by: https://review.openstack.org/#/c/59846/ (merged)
    Add IdP management extension (Federation pt1)

Addressed by: https://review.openstack.org/60244 (merged)
    Virtual Identity Providers CRUD operations.

Addressed by: https://review.openstack.org/60608 (abandoned)
    Virtual Identity Providers CRUD operations.

Gerrit topic: https://review.openstack.org/#q,topic:bp/mapping,n,z

Gerrit topic: https://review.openstack.org/#q,topic:bp/identity-providers,n,z

Addressed by: https://review.openstack.org/69223 (merged)
    Fix federation documentation reference

Addressed by: https://review.openstack.org/69224 (merged)
    Remove autoincrement from String column.

Addressed by: https://review.openstack.org/69225 (merged)
    Fix docstrings in federation controller.

Addressed by: https://review.openstack.org/69226 (merged)
    Don't set default for a nullable column

Addressed by: https://review.openstack.org/69227 (abandoned)
    Use self or cls for local references

Addressed by: https://review.openstack.org/69228 (merged)
    Refactor mutable parameter handling

Addressed by: https://review.openstack.org/69229 (merged)
    Refactor federation controller class hierarchy

Addressed by: https://review.openstack.org/69230 (merged)
    Remove unnecessary test methods

Addressed by: https://review.openstack.org/69244 (merged)
    Federation IdentityProvider filter fields on update response


Work Items

Work items:
Suggested workflow sent to mailing list: TODO
Feedback incorporated: TODO
Trusted Service Provider/Identity Provider v3 contract suggestions: TODO
Feedback incorporated: TODO
SAML request/response to bearer token: TODO
Validate token changes: TODO
Revoke token changes: TODO
Service catalog (likely new blueprint): TODO

Dependency tree
